
Saturday, April 23, 2022

Think of Ransomware as a Data Management Problem

As most things can be thought of. Just reading the work of Turing, Von Neumann et al.; their early work was all about how you effectively stored things and used them, though its safety had not yet come up.

Ransomware: Why It’s Time to Think of it as a Data Management Problem

Enrico Signoretti, Mar 23, 2022 -- Blog in GigaOm

Over the last couple of years, ransomware has taken center stage in data protection, but very few people realize it is only the tip of the iceberg. Everybody wants to protect their data against this new threat, but most solutions available in the market focus just on relatively quick recovery (RTO) instead of detection, protection, and recovery. In fact, recovery should be your last resort.

Protection and detection are much more difficult measures to implement than air gaps, immutable backup snapshots, and rapid restore procedures. But when well executed, these two stages of ransomware defense open up a world of new opportunities. Over time, they will help defend your data against cybersecurity threats that now are less common, or better said, less visible in the news—such as data exfiltration or manipulation. And again, when I say less visible, it is not only because the incidents are not reported, it is because often nobody knows they happened until it’s too late!

Security and Data Silos

Now that data growth is taken for granted, one of the biggest challenges most organizations face is the proliferation of data silos. Unfortunately, new hybrid, multi-cloud, and edge infrastructures are not helping this. We are seeing what we might call a “data silo sprawl”–a multitude of hard-to-manage data infrastructure repositories that proliferate in different locations and with different access and security rules. And across these silos there are often rules that don’t always follow the company’s policies because the environments are different and we don’t have complete control over them.

As I have written many times in my reports, the user must find a way to consolidate all their data in a single domain. It could be physical—backup is the easiest way in this case—or logical, and it is also possible to use a combination of physical and logical. But in the end, the goal is to get a single view of all the data.

Why is it important? First of all, once you have complete visibility, you know how much data you really have. Secondly, you can start to understand what the data is, who is creating and using it, when they use it, and so on. Of course, this is only the first step, but, among other things, you start to see usage patterns as well. This is why you need consolidation: to gain full visibility.

Now back to our ransomware problem. With visibility and pattern analysis, you can see what is really happening across your entire data domain as seemingly innocuous individual events begin to correlate into disturbing patterns. This can be done manually, of course, but machine learning is becoming more common, and subsequently, analyzing user behavior or unprecedented events has become easier. When done right, once an anomaly is detected, the operator gets an alert and suggestions for possible remediations so they can act quickly and minimize the impact of an attack. When it is too late, the only option is a full data recovery that can take hours, days, or even weeks. This is principally a business problem, so what are your RPO and RTO in case of a ransomware attack? There really aren’t many differences between a catastrophic ransomware attack and a disaster that makes all of your systems unusable.

I started talking about ransomware as malware that encrypts or deletes your data, but is this ransomware the worst of your nightmares? As I mentioned before, such attacks are only one of the demons that keep you up at night. Other threats are more sneaky and harder to manage. The first two that come to mind are data exfiltration (another type of prevalent attack where ransom is demanded), and internal attacks (such as from a disgruntled employee). And then of course there is dealing with regulations and the penalties that may result from the mishandling of sensitive data.

When I talk about regulations, I’m not joking. Many organizations still take some rules lightly, but I would think twice about it. GDPR, CCPA, and similar regulations are now in place worldwide, and they are becoming more and more of a pressing issue. Maybe you missed that last year Amazon was fined €746,000,000 (nearly $850,000,000) for not complying with GDPR. And you would be surprised at how many fines Google got for similar issues (more info here). Maybe that’s not much money for them, but this is happening regularly, and the fines are adding up. ...
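The excerpt above makes two points that a practitioner will want to see in working form: that "seemingly innocuous individual events begin to correlate into disturbing patterns" once you have a single view of file activity, and that data exfiltration is the quieter threat that hides behind the encryption headlines. The following Python correlator is an added example and is not code from Signoretti's article or from GigaOm. It runs a constructed file-activity log through a per-user sliding window and raises an alert when a burst of extension-changing renames (a ransomware-like signature) or a bulk read followed by an upload to an unsanctioned destination (an exfiltration-like signature) appears. The log format, the 60-second window, the thresholds and the sanctioned-destination list are all assumptions chosen for the example; the sample log lines are constructed, not taken from any real system.

```python
"""Correlate per-user file events in a sliding time window.

Each line of the (constructed) log is:  ISO-timestamp user ACTION target bytes
ACTION is one of READ, WRITE, RENAME (target is 'old->new'), UPLOAD (target is a host).
Heuristics, thresholds and the log layout are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)                 # per-user correlation window (assumed)
RENAME_THRESHOLD = 5                           # extension-changing renames in WINDOW (assumed)
READ_BYTES_THRESHOLD = 50_000_000              # bytes read in WINDOW before an upload (assumed)
ALLOWED_DESTINATIONS = {"backup.corp.example"} # sanctioned upload targets (assumed)

# Constructed sample log: alice is benign, bob looks like an encryptor renaming files,
# carol reads 55 MB and pushes it to an unknown host, dave sends 60 MB to the backup host.
SAMPLE_LOG = """\
2022-03-23T09:00:01 alice WRITE /share/finance/q1.xlsx 20480
2022-03-23T09:00:05 alice READ /share/finance/q2.xlsx 18000
2022-03-23T09:00:09 alice RENAME /share/finance/draft.xlsx->/share/finance/q3.xlsx 0
2022-03-23T10:00:00 bob RENAME /share/hr/policy.docx->/share/hr/policy.docx.locked 0
2022-03-23T10:00:01 bob RENAME /share/hr/payroll.xlsx->/share/hr/payroll.xlsx.locked 0
2022-03-23T10:00:02 bob RENAME /share/hr/contract.pdf->/share/hr/contract.pdf.locked 0
2022-03-23T10:00:03 bob RENAME /share/hr/orgchart.pptx->/share/hr/orgchart.pptx.locked 0
2022-03-23T10:00:04 bob RENAME /share/hr/handbook.docx->/share/hr/handbook.docx.locked 0
2022-03-23T10:00:05 bob RENAME /share/hr/README.txt->/share/hr/README.txt.locked 0
2022-03-23T11:00:00 carol READ /share/eng/design.zip 30000000
2022-03-23T11:00:10 carol READ /share/eng/source.tar 25000000
2022-03-23T11:00:20 carol UPLOAD files.example.net 55000000
2022-03-23T12:00:00 dave READ /share/eng/archive.tar 60000000
2022-03-23T12:00:30 dave UPLOAD backup.corp.example 60000000
"""


def parse_event(line):
    """Split one log line into a dict with a real datetime and integer size."""
    ts, user, action, target, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target, "size": int(size)}


def extension_changed(rename_target):
    """RENAME targets are 'old->new'; report whether the file suffix changed."""
    old, new = rename_target.split("->")
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]


def _fire(alerts, fired, ev, kind):
    """Record an alert once per (user, kind) so a long burst does not flood the operator."""
    key = (ev["user"], kind)
    if key not in fired:
        fired.add(key)
        alerts.append((ev["user"], kind, ev["ts"].isoformat()))


def correlate(lines):
    """Replay events in time order through a per-user window; return (user, kind, ts) alerts."""
    recent = defaultdict(deque)   # user -> events still inside WINDOW
    fired, alerts = set(), []
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:   # evict events older than WINDOW
            q.popleft()
        # Pattern 1: many extension-changing renames in a short burst (encryptor behaviour).
        renames = sum(1 for e in q if e["action"] == "RENAME" and extension_changed(e["target"]))
        if renames >= RENAME_THRESHOLD:
            _fire(alerts, fired, ev, "ransomware_like")
        # Pattern 2: bulk reads followed by an upload to an unsanctioned destination.
        if ev["action"] == "UPLOAD" and ev["target"] not in ALLOWED_DESTINATIONS:
            read_bytes = sum(e["size"] for e in q if e["action"] == "READ")
            if read_bytes >= READ_BYTES_THRESHOLD:
                _fire(alerts, fired, ev, "exfiltration_like")
    return alerts


if __name__ == "__main__":
    for user, kind, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}: {kind}")
```

Each of bob's renames and each of carol's reads is unremarkable on its own; the alerts only appear because the events are seen together in one place, which is the consolidation argument the article makes. Dave's upload is equally large but goes to the sanctioned backup host, so the allow-list keeps a legitimate backup job from tripping the exfiltration rule.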
